
I have successfully acquired a certificate using Win-Acme installed on Windows Server 2012. The software is set up to renew using the Route53 plugin to automatically verify ownership via DNS. Win-acme does run the renewal task, but it fails with an error:

An error occurred during post-validation cleanup: Unable to reach credentials server

After declining the option to rerun the renewal, the following error is displayed:

[EROR] Create certificate failed: Authorization failed: Error preparing for challenge answer

It looks like it is related to the AWS API request. I'm passing the IAM role in at the command line as well as in the software following instructions here. Not sure if the role should be just the name or the whole ARN but I've tried both. The example in this issue appears to use the name only.

Unblocked for the .Net CLR.

I have also tried to add an AWS profile in the Web_Config.xml file blindly trying to apply this answer. This does not appear to work.

I've checked firewall issues. All outbound ports are open.

Documentation is sparse but I have read and reread everything I could dig up, multiple times, and am not able to understand why this error is occurring.

Also tried to search win-acme issues (for example). No success.

Searched the Route53 plugin code to see if I could find the error. No success.

Reviewed issues on this page but nothing glaring.

Anyone able to see what I might be missing? Am I missing some AWS config that is not in the documentation?

Here is a portion of the Win-Acme log.

2020-05-29 02:57:47.427 +00:00 [INF] No command line arguments provided
2020-05-29 02:57:47.497 +00:00 [INF] Software version 2.1.5.742 (RELEASE, PLUGGABLE) started
2020-05-29 02:57:47.499 +00:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2020-05-29 02:57:47.970 +00:00 [INF] IIS version 8.0
2020-05-29 02:57:47.974 +00:00 [INF] Running with administrator credentials
2020-05-29 02:57:48.119 +00:00 [INF] Scheduled task looks healthy
2020-05-29 02:57:48.119 +00:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2020-05-29 03:21:38.280 +00:00 [INF] Arguments: --validation route53 --validationmode dns-01 --route53iamrole MyRoleName --verbose
2020-05-29 03:21:38.318 +00:00 [DBG] Renewal period: 55 days
2020-05-29 03:21:38.328 +00:00 [INF] Software version 2.1.5.742 (RELEASE, PLUGGABLE) started
2020-05-29 03:21:38.329 +00:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2020-05-29 03:21:38.340 +00:00 [VRB] SecurityProtocol setting: "SystemDefault"
2020-05-29 03:21:38.736 +00:00 [DBG] Connection OK!
2020-05-29 03:21:38.739 +00:00 [INF] IIS version 8.0
2020-05-29 03:21:38.744 +00:00 [INF] Running with administrator credentials
2020-05-29 03:21:38.797 +00:00 [INF] Scheduled task looks healthy
2020-05-29 03:21:38.798 +00:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2020-05-29 03:21:38.799 +00:00 [VRB] Test for international support: 語言 язык لغة
2020-05-29 03:22:11.633 +00:00 [INF] Running in mode: "Interactive, Advanced"
2020-05-29 03:22:26.213 +00:00 [INF] Target generated using plugin Manual: *.mydomain.com
2020-05-29 03:23:32.456 +00:00 [VRB] Adding 8.8.8.8 as DNS server
2020-05-29 03:23:32.457 +00:00 [VRB] Adding 1.1.1.1 as DNS server
2020-05-29 03:23:32.458 +00:00 [VRB] Adding 8.8.4.4 as DNS server
2020-05-29 03:24:16.362 +00:00 [VRB] Checking *.mydomain.com
2020-05-29 03:24:16.367 +00:00 [VRB] Creating certificate order for hosts: ["*.mydomain.com"]
2020-05-29 03:24:16.376 +00:00 [VRB] Loading ACME account signer...
2020-05-29 03:24:16.378 +00:00 [DBG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
2020-05-29 03:24:16.432 +00:00 [VRB] Constructing ACME protocol client...
2020-05-29 03:24:16.439 +00:00 [DBG] Send GET request to "https://acme-v02.api.letsencrypt.org/directory"
2020-05-29 03:24:16.766 +00:00 [VRB] Request completed with status "OK"
2020-05-29 03:24:16.797 +00:00 [DBG] Send HEAD request to "https://acme-v02.api.letsencrypt.org/acme/new-nonce"
2020-05-29 03:24:16.914 +00:00 [VRB] Request completed with status "OK"
2020-05-29 03:24:16.922 +00:00 [DBG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
2020-05-29 03:24:16.999 +00:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/new-order"
2020-05-29 03:24:17.245 +00:00 [VRB] Request completed with status "Created"
2020-05-29 03:24:17.258 +00:00 [VRB] Order https://acme-v02.api.letsencrypt.org/acme/order/816*****/354******* created
2020-05-29 03:24:17.259 +00:00 [VRB] Handle authorization 1/2
2020-05-29 03:24:17.262 +00:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/authz-v3/487*******"
2020-05-29 03:24:17.506 +00:00 [VRB] Request completed with status "OK"
2020-05-29 03:24:17.521 +00:00 [INF] Authorize identifier: mydomain.com
2020-05-29 03:24:17.523 +00:00 [VRB] Challenge types available: ["dns-01"]
2020-05-29 03:24:17.670 +00:00 [INF] Authorizing mydomain.com using dns-01 validation (Route53)
2020-05-29 03:24:18.030 +00:00 [ERR] Error preparing for challenge answer
Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
 ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
 ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Amazon.Util.AWSSDKUtils.ExecuteHttpRequest(Uri uri, String requestType, String content, TimeSpan timeout, IWebProxy proxy, IDictionary`2 headers)
   --- End of inner exception stack trace ---
   at Amazon.Util.AWSSDKUtils.ExecuteHttpRequest(Uri uri, String requestType, String content, TimeSpan timeout, IWebProxy proxy, IDictionary`2 headers)
   at Amazon.Runtime.URIBasedRefreshingCredentialHelper.GetContents(Uri uri, IWebProxy proxy, Dictionary`2 headers)

EDIT #2: I recently added an issue-tagged CAA record for letsencrypt.org to Route53. Still same error.
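The stack trace above ends in the AWS SDK's URIBasedRefreshingCredentialHelper, which is the code path the SDK uses when it resolves an instance-profile (IAM role) credential: it fetches role credentials from the EC2 instance metadata service (IMDS) at http://169.254.169.254/latest/meta-data/iam/security-credentials/ and surfaces any HTTP failure as "Unable to reach credentials server". IMDS answers that path with 404 when no instance profile is attached to the instance, with 401 when IMDSv2 is enforced and no session token was sent, and does not answer at all off EC2. The script below is an added diagnostic for this thread, not code from win-acme, the Route53 plugin or the AWS SDK; `diagnose_imds` classifies a response the way the SDK would experience it, and `fetch_imds` performs the live IMDSv2 lookup when run on the instance. The status/body pairs in the comments are constructed samples.

```python
"""Classify an EC2 instance metadata (IMDS) credential lookup.

Added example for this thread (not win-acme, Route53 plugin or AWS SDK code).
The AWS SDK reads role credentials from the path in CREDS_PATH below; this
script reproduces that request so the HTTP status can be read directly.
"""
import socket
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def diagnose_imds(status, body):
    """Map the IMDS response for CREDS_PATH to a cause.

    status: HTTP status code, or None when the endpoint could not be reached.
    body:   response text; for 200 this is the newline-separated role names.
    Constructed samples: (404, "") -> no_role_attached,
                         (200, "MyRoleName\n") -> role_attached:MyRoleName
    """
    if status is None:
        return "imds_unreachable"        # not on EC2, or IMDS disabled/blocked
    if status == 401:
        return "imdsv2_token_required"   # IMDSv1 disabled; request needs a token
    if status == 404:
        return "no_role_attached"        # path only exists once a profile is attached
    if status == 200:
        roles = [r.strip() for r in body.split("\n") if r.strip()]
        return ("role_attached:" + ",".join(roles)) if roles else "no_role_attached"
    return "unexpected_status:%d" % status


def _get_imdsv2_token(timeout):
    """Obtain an IMDSv2 session token; returns None if the PUT is refused."""
    req = urllib.request.Request(
        IMDS_BASE + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.read().decode()
    except urllib.error.HTTPError:
        return None                      # fall back to an IMDSv1-style request


def fetch_imds(path, timeout=1.0):
    """Fetch an IMDS path; returns (status, body), or (None, "") if unreachable."""
    try:
        token = _get_imdsv2_token(timeout)
        headers = {"X-aws-ec2-metadata-token": token} if token else {}
        req = urllib.request.Request(IMDS_BASE + path, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, ""


if __name__ == "__main__":
    # Run on the EC2 instance itself; off EC2 this prints imds_unreachable.
    status, body = fetch_imds(CREDS_PATH)
    print(status, diagnose_imds(status, body))
```

Run it on the instance that executes the scheduled task: a 404 confirms that the SDK is looking for an instance profile that is not there, which is a console/EC2 attachment problem rather than anything win-acme can fix; a 200 listing a role name means the credential lookup itself works and the failure lies elsewhere (for example in the role's Route 53 permissions).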

Rich C


Edit: my IAM role was not attached to my EC2 instance :)

I had the same issue when using an IAM role. Creating a user and using an access key / secret access key worked though.

wacs --target iis --siteid [n] --emailaddress [X@X.X] --accepttos --installation iis --installationsiteid [n] --store certificatestore --validation route53 --validationmode dns-01 --route53accesskeyid [XXXX] --route53secretaccesskey [XXXX]

Policy perms:

Route 53: GetChange

Route 53: ListHostedZones

Route 53: ChangeResourceRecordSets

Probably not great to have those in the command line, but that seems like a later problem.

totoro
  • Are you suggesting that the issue was that your IAM role was not attached to the instance? In my case, it is. I'll have to try your exact command line parameters to see if it's something I've left out of the command line. My policy terms are the same as you have noted. – Rich C Jun 10 '20 at 12:04
  • Yep. Debugged the AWS side since it was the thing I knew the least about. Figured it would always work with id/key, and it did, so that eliminated all other issues. Moved on from there to figure out what was wrong with the role. – totoro Jun 11 '20 at 14:58
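Whether the credential is an instance role or, as in the answer above, an access key passed on the command line, the policy behind it decides how much damage a leaked credential can do. The three actions the answer lists are all a dns-01 client needs, and two of them can be tightened further: ChangeResourceRecordSets accepts a hosted-zone ARN as its resource and the route53:ChangeResourceRecordSetsRecordTypes condition key can restrict writes to TXT records, while ListHostedZones and GetChange are discovery/polling calls that take no resource-level scoping. The code below is an added example for this thread, not win-acme code or an AWS-published policy: `build_dns01_policy` produces that least-privilege document and `audit_policy` flags grants wider than dns-01 needs. The hosted zone id used in the comments is a constructed placeholder.

```python
"""Least-privilege IAM policy for an ACME dns-01 client using Route 53,
plus a small audit that flags over-broad grants.

Added example for this thread (not win-acme code). The three actions are the
ones listed in the answer above; "ZEXAMPLE12345" is a constructed zone id.
"""
import json

# The only actions a dns-01 validator needs against Route 53.
REQUIRED_ACTIONS = {
    "route53:ListHostedZones",           # find the zone that holds the domain
    "route53:GetChange",                 # poll until the TXT change is INSYNC
    "route53:ChangeResourceRecordSets",  # create/delete _acme-challenge TXT
}


def build_dns01_policy(hosted_zone_id):
    """Return an IAM policy document that scopes writes to one hosted zone."""
    zone_arn = "arn:aws:route53:::hostedzone/" + hosted_zone_id
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # discovery and polling calls have no resource-level scoping
                "Sid": "DiscoverZonesAndPollChanges",
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:GetChange"],
                "Resource": "*",
            },
            {   # record writes limited to this zone and to TXT records only
                "Sid": "AcmeChallengeTxtOnly",
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": zone_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
                    }
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings (strings) for Allow grants wider than dns-01 requires."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action.endswith("*"):
                findings.append("wildcard action %s in %s" % (action, sid))
            elif action not in REQUIRED_ACTIONS:
                findings.append("action %s not needed for dns-01 (%s)" % (action, sid))
            elif action == "route53:ChangeResourceRecordSets" and "*" in resources:
                findings.append("ChangeResourceRecordSets not scoped to a hosted zone (%s)" % sid)
    return findings


if __name__ == "__main__":
    policy = build_dns01_policy("ZEXAMPLE12345")   # constructed placeholder id
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy))       # expected: []
```

Attach the generated document to the IAM user or role the renewal task uses and run `audit_policy` over any existing policy before trusting it; a finding such as a `route53:*` wildcard means a leaked key from a scheduled-task command line could rewrite every record in the account rather than one zone's TXT entries.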